Web Application Security Workshop TYPO3 Developer Days 2014

Inspiring people toshare

TYPO3 Developer Days - Eindhoven 2014

Security Workshop

T3DD14 Security Workshop

Helmut Hummel <[email protected]>

20.06.2014

Security Pitfalls vs. Best Practices

1

mailto:[email protected]


TYPO3 Developer Days - Hamburg 2013

Security Workshop

T3DD14 Security Workshop

Agenda• Prequel: trusted hosts pattern explained

• What does Security mean?

• Knowing the enemy

• Pitfalls

• Best Practice

• TYPO3 Security Team

2



Security Workshop

Trusted Hosts Pattern?

3



Security Workshop 4

<?php!!$hostName = $_SERVER['HTTP_HOST'];!echo $hostName;



Security Workshop 5

curl 'http://t3dd14.dev/host.php' ! -H 'Host: google.de'



Security Workshop 6

curl 'http://localhost/t3dd14/host.php' ! -H 'Host: google.de'



Security Workshop 7

telnet t3dd14.dev 80!!

GET http://t3dd14.dev/host.php HTTP/1.1!User-Agent: curl/7.33.0!Accept: */*!Host: google.de



Security Workshop

What does Security mean?

8



Security Workshop

Absence of potential Damage

9



Security Workshop

Protecting Information

10



Security Workshop

Unauthorized access

11



Security Workshop

Unauthorized modification

12



Security Workshop

Loss

13



Security Workshop

CIA Triad

14

Availability

CIA Triad

Integrity

Confidentiality

Information

15



Security Workshop

What is Security?

Security is relative• Security depends on your needs/ kind of Information

• Security depends on a certain point in time

• Security needs to be constantly adapted and improved

16



Security Workshop

What is Security?

Characteristics of Security• There is no absolute Security

• An evironment is only as secure as it‘s weakest point

• Security is an investment

• The efforts for Security must be proportianal to the potential damage

• A system can be called secure, if the effort of compromising it are way higher than the possible gains

17



Security Workshop

Security is a process, not a product.(Bruce Schneier)

18



Security Workshop

General Security Priciples• Least privilege

• Minimize Exposure

• Do not rely on „security by obscurity“

• Defense in depth

19

Defense in Depth

OS

PHP-application

DBMS

Webserver

Server Firewall Proxy

mod_security

suhosinPHP

Harding

security layer(s)

SQL Proxy

20



Security Workshop

Knowing the enemy

21



Security Workshop

Knowing the enemy

Different Motivations

22

• Money

• Influence

• Fame

• Fun



Security Workshop

Knowing the enemy

Different Proceedings

23

• Automated attacks

• Targeted attacks



Security Workshop

Pitfalls

24



Security Workshop 25



Security Workshop

Security Problems

26



Security Workshop

XSS

27



Security Workshop

HTML Contexts• HTML-Element

• HTML-Attribute Value

• JS-Values

• URL Parameter

28



Security Workshop

CSRF

29

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

CSRF

30

http://bank.com/transfer.do?acct=MARIA&amount=100000



Security Workshop

Avoid CSRF• Secret random token in the request

• Save token in session

• One-Time Token may have usability impacts

31



Security Workshop

SQLi

32



Security Workshop

File Handling

33



Security Workshop

Header Injection

34



Security Workshop

Code Injection

35



Security Workshop

Insecure Unserialize

36



Security Workshop

Extbase Security

37



Security Workshop

XSS

38



Security Workshop

Extbase

XSS• Flash Messages

• Context

• Custom View Helpers

39



Security Workshop

SQLi

40



Security Workshop

Mass Assignment

41



Security Workshop

Access Violation

42



Security Workshop

TypoScript

43

page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.wrap = pid=|

44

page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.intval = 1 page.10.andWhere.wrap = pid=|

45

page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1 DB : be_users:1:password

46

page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1

47

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

48

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1

49

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1

50



Security Workshop

Best Practice

51



Security Workshop

Best Practice• Every request is an attack as long the opposite is proven

• User input is untrustable

• User input needs to be validated and encoded and escaped right before output

• Encoding and escaping depends on the context

• Separation of Concerns

52



Security Workshop

What is User Input?• $_REQUEST ($_GET, $_POST, $_COOKIE)

• $_FILES

• $_SERVER

• Filenames

• External Services

• Editors are users

53



Security Workshop

How to treat User Input• Validation

• Filtering

• Escaping

• Encoding

54

How to treat User Input

Escaping/ Encoding

User Input

Output

Validate/ Filter

evil™

stop execution?

context!

55



Security Workshop

How to treat User Input• Filter Input

!

!

!

• Escape Output

56



Security Workshop

How to treat User Input• Filter Input

• Check Type

• Check Format

• Check length

• Escape Output

• Context!

• DB, HTML, JS

• Directly before output

57

Separation of Concerns• Security issues are bugs

• Clean code leads to less bugs

• Test Driven Development

• Leave Security to Security Code

58



Security Workshop

TYPO3 Security Team

59



Security Workshop

TYPO3 Security Team

TYPO3 Security Team• Responsible Disclosure Policy

• One communication channel ([email protected])

• Pre-Announcements for critical issues only

• You can support us with sober and precise communication and reading the Security Bulletins carefully

60



Security Workshop

TYPO3 Security Team

CVSS2 Score• It is a calculation to help you to identify the severity of a

Security Issue

• The result are 4 different Scores

• Base Score

• Temporal Score

• Environmental Score

• Overall Score

61

62

63

64

65

Questions?

66

Thank you!

@helhum [email protected]

67

Internet

Web Application Security Workshop TYPO3 Developer Days 2014